Securing a Debian Linux Laptop for Road Warriors

By Stephanie Thomas
for SANS GCUX Certification
Version 1.6b, Option 1
April 4, 2001

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Table of Contents

Introduction ... 4
Assessing the Risks ... 4
Choosing the Right Laptop ... 5
  BIOS Power On Password ... 5
  BIOS Supervisor Password ... 5
  Hard Drive Password ... 6
  Security Screw for the Hard Drive ... 6
  Hardware Locks ... 6
Debian Operating System Installation ... 6
  First Things First - Partitioning the Hard Drive ... 7
  Installing the Operating System and Device Driver Modules, Base System Configuration ... 7
  Selecting Packages to Install ... 7
Kernel ... 8
Securing Network Services ... 8
Securing LILO ... 10
Setting Password and Login Policies ... 10
NTP ... 12
Logging ... 13
Remote System Administration, File Access (Copy and Transfer) and E-mail ... 14
  Installation ... 14
  Setting up the Secure Shell daemon to Start on Boot ... 15
  Authentication ... 15
  Setting up Local Tunnels for E-mail ... 16
  Tightening up Access to Secure Shell ... 17
Email and File Confidentiality ... 18
'Defensive' Security Measures ... 18
  TCP Wrappers ... 18
  Packet Firewall - IPChains ... 18
  Psionic Portsentry ... 19
  Tripwire ... 19
  Updating using apt-get ... 19
  Backup, Backup, Backup ... 20
'Offensive' Security Measures ... 21
  Nmap ... 22
  Tiger, Tara, SATAN, SAINT, Sara, and Nessus ... 22
  Password Cracking Programs ... 23
User Education ... 23
  Passwords ... 23
  Hardware Protection ... 23
  Backups ... 24
  Other Good Practices ... 24
Conclusion ... 24
Checklist - Securing a Debian Linux Laptop for Road Warriors ... 25
Appendix A ... 29
Appendix B ... 32
Appendix C ... 45

s.
ht
rig
f ull
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Introduction

For as long as mobile computers have been around, System Administrators have had to wrestle with the problems of securing them. Having a portable computer, while immensely advantageous to the user, can present some unique and challenging security vulnerabilities to the System Administrator. Many laptop users work remotely where their computers are exposed to a hostile network. To ensure productivity, remote users must be able to securely access email and files stored within the company's internal network. In addition, laptops are easy to steal - there have been numerous cases of laptop theft at the U.S. State Department within the past year:

http://www.cnn.com/2000/US/04/17/state.computer.02/

All of these demonstrate how vulnerable a laptop containing corporate information can be - and how very important it is that every available step is taken to protect the data that these computers contain. While no computer can be completely secure, System Administrators need to employ all security measures possible - from hardware locks, BIOS power on, hard drive and supervisor passwords, to properly hardening the operating system - to ensure that these 'Road Warrior' laptops are not only protected themselves, but that they do not expose the entire company's network by providing attackers with valuable information with which to conduct an attack. See:

http://www.zdnet.com/zdnn/stories/news/0,4586,2648861,00.html

Defining the Role of the Computer

Defining the role of the computer will help you to determine what the risks are, as well as how to limit those risks.

This guide will focus on securing a business laptop with the role of primary workstation for a user who either works from home or travels and requires remote file and email access. The laptop will have the latest version of the Debian operating system installed, which is based on the Linux kernel.

Assessing the Risks

As the user will be working remotely, connection to the company's network will be essential. The manner in which the user connects to the internet can have an effect on the level of risk - but each will cause some level of exposure. Each administrator will need to evaluate the specific situation they face and take the appropriate steps to address the risks associated with that scenario. Following are some of the most common remote access methods.

The most common access method for remote users is through a ppp, or dial-up modem, connection. Regardless of what the user's most frequently used remote access method is, as an administrator, you will almost certainly have to provide some sort of dial-up access to the user at one point or another. Even a home DSL user may travel to a customer's site or a conference where they only have modem access from their hotel room. Take steps to secure this type of connection even if it will not be the user's primary remote access method.

DSL and high-speed cable internet providers are becoming very popular access methods. The access is fast, and the cost is reasonable. These advantages also work in favor of the hackers - fast, cheap access means more break-in attempts in less time. Cable and DSL services are known to be popular with the hacker community - see http://www.zdnet.com/zdnn/stories/news/0,4586,2604170,00.html. In addition, providers have not always been very responsive to administrators' requests for assistance when tracking hackers down (same article).

ISDN can also provide fast access, but the cost is prohibitive and setup is less than intuitive. ISDN's popularity has dwindled with the advent of DSL and high-speed cable internet access.

Some other methods which are gaining ground are Ricochet, which offers wireless modem access at speeds of up to 128K, and wireless LAN.

Most of these can be made more secure through the use of IPChains or some form of VPN.

In addition to network access issues, the portability of laptop computers makes them very easy to steal. Physical security is often very difficult to achieve on something designed to be easy to carry, but there are measures that System Administrators can take to address this concern.

Choosing the Right Laptop

When deciding which laptop computer to provide for your remote users, you should look for the following features:

BIOS Power On Password

Most computers have a BIOS power on password. Although on the majority of computers this password is easy enough to circumvent, it should still be set to help prevent the merely curious from gaining access to the computer's data. You should not be able to boot the computer without entering this password. Both the user and the system administrator should have this password.

BIOS Supervisor Password

This password protects the BIOS settings themselves, which will help prevent changing of the boot order to enable booting from other media. You may also be able to disable floppy and CDROM access altogether. No one should be able to gain access to the BIOS without entering this password. On some laptops, the security provided by this password cannot be circumvented by resetting the BIOS or pulling the CMOS battery - if you forget the password, you must replace the system board to access the BIOS. Take care when assigning this password! Only the administrator should have this password.

Hard Drive Password

Some laptop computers also offer an additional password restricting access to the hard drive itself. This password must be entered before the computer can be booted from the hard drive. It should not be possible to circumvent the security provided by this password - if you forget the password, you should have to replace the hard drive. This is probably the single most important of the computer's hardware protections - even if someone steals the laptop, they should not be able to gain access to the data stored on the hard drive through conventional means - i.e., even moving the hard drive to a different computer will not provide access to the data stored on the hard drive. Take care when assigning this password! Both the user and the system administrator should have this password.

Security Screw for the Hard Drive

On some laptops, where there is easy external removal of the hard drive, manufacturers often offer a special security screw to replace the stock, easy-to-remove coin screw. This will help make removal of the hard drive much more difficult if someone gains physical access to the laptop. This screw has a key which should be held by the administrator.

Hardware Locks

Make sure that the laptop has a provision for a hardware lock of some type. Especially helpful are hardware locks which have motion sensors to detect excessive movement of the computer. The user and the System Administrator should both have a copy of the key or know the combination to the hardware lock.

Dell and IBM both offer all of these types of protection in their laptop lines. I was not able to confirm Toshiba's security offerings.

Debian Operating System Installation

Now that you've selected your hardware, it's time to install Debian. Obtain the latest version of Debian from the ftp site - ftp://ftp.us.debian.org/debian/

Installation should be done while not connected to the network.

One important point to consider before starting is disk encryption. This web site http://munitions.polkaroo.net/dolphin.cgi?action=render&category=0503 offers many options for disk encryption. While disk encryption is a good idea, many of the current implementations do not seem stable enough for real-time deployment. It may be better to encourage the user to encrypt their data files using GPG or PGP until this technology has come of age.

First Things First - Partitioning the Hard Drive

The proper way to partition a Unix or Linux system is a heated debate. I found so many conflicting opinions on this subject when researching this paper that I am reluctant to recommend any one method exclusively. Use your best judgment on this, taking into account the role of the system and the user's needs. Whatever you decide to do, be sure to document the partition table you set up.

Installing the Operating System and Device Driver Modules, Base System Configuration

Most of the defaults will do for this section of the installation. If you wish to enable NTFS, MSDOS or Samba filesystem support, you can do so under the filesystem device driver module.

You will also be asked to set the hostname of the computer, install and configure the base system (setting the time zone and hardware clock), and to make Linux bootable (install LILO). After these selections are complete, the system will reboot. Upon reboot, you will be asked if you would like to enable MD5 passwords and install shadow passwords. Answer yes to both of these - they help to secure your user password database by using a stronger encryption algorithm and locating the passwords in a root-only accessible file.

Next, you will be prompted to set the root password and create a user account. You will want to create a user account for the end user of the system, as well as an account for the system administrator.

Selecting Packages to Install

There are literally thousands of applications that come with the Debian operating system. Some of the important security-related packages already come installed by default - TCP Wrappers, lprng, and lsof, to name a few. While it is often recommended to not install a development environment to limit exposure, many of the programs which the user will need to be productive are open-source, and may not come in binary format. If you have a duplicate environment available on which to compile the programs the user will need, you can set the laptop up without a development environment, and copy over binaries compiled on the other machine. If this is not feasible, you can remove the development libraries and compilers after the system is configured. Following are the recommended packages to remove or install that have security concerns related to this specific scenario - you will need to evaluate other packages as necessary for your environment and the user's specific needs:

REMOVE:

telnet & telnetd - Secure Shell will be used for remote access
finger & fingerd - numerous known security vulnerabilities
nfs-common & nfs-server - numerous known security vulnerabilities
talk & talkd - not necessary, known security vulnerabilities
ftpd - unnecessary, this system will not function as a file server, numerous known security vulnerabilities

ADD:

acct - GNU accounting utilities for login and process accounting
sudo - enable users to execute a command as another user
syslog-ng - provides advanced system logging, adding features that syslogd doesn't support (configurability, filtering based on content, message integrity/encryption, etc.)
logcheck - looks for anomalies in the system logs and emails them to the administrator
apmd - improved power management for laptops
makepasswd - used to generate true random passwords using /dev/random. Can also encrypt plaintext passwords given on the command line

The ftp client must be installed to enable use of the Debian operating system update module, apt-get.

Kernel

Because Debian is a complete operating system, the release cycle takes a bit longer than other standard Linux distributions. As a result, the kernel in the latest Debian release may be a bit outdated. The current release at the time of writing, 2.2r2 - code named 'potato' (all of the Debian releases are named after 'Toy Story' characters), uses the 2.2.18pre21 kernel. To obtain the latest kernel-level security fixes, you will want to compile the latest kernel after installing Debian. Be sure to back up your kernel before recompiling. See Section 8.5 at http://www.debian.org/releases/potato/i386/ch-post-install.en.html for information on doing this 'the Debian way'. Also see http://www.fs.tum.de/~bunk/kernel-24.html for information on running the 2.4 kernel with the latest release of Debian.

Securing Network Services

The first step after installation will be to secure the network services. Nmap is used here to scan for open ports, but there are numerous other utilities available for this. See Appendix A for a listing of other security tools. Here is a list of the open ports reported by nmap after an installation as described above:

# nmap -sT -sU 127.0.0.1

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on testsystem (127.0.0.1):
(The 3067 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
9/udp open discard
13/tcp open daytime
37/tcp open time
98/tcp open linuxconf
111/tcp open sunrpc
111/udp open sunrpc
113/tcp open auth
143/tcp open imap2
177/udp open xdmcp
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
1024/tcp open kdm

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

To disable unnecessary services, start with inetd. The configuration file for inetd is located in /etc/inetd.conf. None of the services started in inetd by default are needed for this setup. To disable inetd, you can either comment out the entries in /etc/inetd.conf, or comment out, rename or remove the /etc/init.d/inetd script that is called by the /etc/rc#.d runlevel scripts. In addition, you will want to entirely comment out or remove the portmap script in /etc/init.d.

After disabling inetd and commenting out or deleting the portmap script, nmap should only report the following open ports:

# nmap -sT -sU 127.0.0.1

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on testsystem (127.0.0.1):
(The 3078 ports scanned but not shown below are in state: closed)
Port State Service
177/udp open xdmcp
515/tcp open printer
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

Delete the Berkeley 'r' services and rpc utilities entirely - these services have numerous known security vulnerabilities and will not be used.

# cd /usr/local/bin
# rm rcp rgrep rjoe rlogin rpcgen rpcclient rsh rstart rstartd rpcinfo

Set the default login to be text only, not X, using linuxconf.
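A small audit check, added here as an example and not part of the original paper: it parses an nmap -sT -sU report and lists every open port that is not in the post-hardening baseline above, so a later re-scan can be compared against what this section says should remain. The two report samples are constructed from the listings in this section; ALLOWED_PORTS and the function names are my own.

```sh
#!/bin/sh
# Added example: flag open ports in an nmap -sT -sU report that are not part of the
# expected post-hardening baseline (177/udp, 515/tcp, 1024/tcp, 6000/tcp from the paper).

# Baseline the paper expects after inetd and portmap are disabled (assumed variable name).
ALLOWED_PORTS="177/udp 515/tcp 1024/tcp 6000/tcp"

# Constructed sample: the shape of the pre-hardening report shown above (not a live scan).
BEFORE_REPORT='Interesting ports on testsystem (127.0.0.1):
(The 3067 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
9/udp open discard
13/tcp open daytime
37/tcp open time
98/tcp open linuxconf
111/tcp open sunrpc
111/udp open sunrpc
113/tcp open auth
143/tcp open imap2
177/udp open xdmcp
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
1024/tcp open kdm'

# Constructed sample: the post-hardening report shown above.
AFTER_REPORT='Port State Service
177/udp open xdmcp
515/tcp open printer
1024/tcp open kdm
6000/tcp open X11'

# Print "port/proto service" for every open port that is not in ALLOWED_PORTS.
# Only lines of the form "NNN/tcp open name" are considered; header lines are ignored.
unexpected_open_ports() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) { print $1, $3 }
    '
}

# Exit 0 when the report matches the baseline, 1 when extra services are listening.
baseline_ok() {
    [ -z "$(unexpected_open_ports "$1")" ]
}

# Stand-alone run: list what the constructed "before" scan still has open.
unexpected_open_ports "$BEFORE_REPORT"
```

Feed it the saved output of a real scan (for example `unexpected_open_ports "$(cat scan.txt)"`) and an empty result means the laptop still matches the baseline.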

Securing LILO

Next you will want to password-protect LILO, the Linux Loader. This can be done either by manually editing /etc/lilo.conf or from linuxconf. If doing this by manually editing the /etc/lilo.conf file, you will want to add the following lines after the prompt line:

password = <your_password_here>
restricted

Be sure to set the permissions for the /etc/lilo.conf file to 0600 since the password will be saved in clear-text.

chmod 0600 /etc/lilo.conf

Setting Password and Login Policies

You will want to specify some basic password and login policies - such as setting a login banner message, logging all su logins, minimum password length, minimum non-alpha characters in the password, and setting up the maximum number of days a password can be used to login. Again, this can be done either manually at the command line, or from linuxconf. If you prefer doing this from the command line, here is how you go about doing so:

First, create an /etc/issue file to display a message before login. Something simple is usually best, but this is determined by your company's security policy:

"Employees of XYZ Corporation only. Unauthorized access prohibited. All connection attempts are logged."

Next, edit the /etc/login.defs file:

# vi /etc/login.defs

The /etc/login.defs file has several options which can be tweaked to provide extra protection - here are a few recommended settings:

SULOG_FILE /var/log/sulog
ISSUE_FILE /etc/issue
UMASK 077
PASS_MAX_DAYS 60
PASS_MIN_LEN 6
PASS_WARN_DAYS 5

There are other ways to implement password expiry - passwd and chage can also be used.

# passwd -x 60 -w 5 username
OR
# chage -M 60 -W 5 username

These commands will expire the password for username after 60 days, giving a warning for 5 days prior to expiration.

To generate strong passwords, use the makepasswd program installed earlier to generate true random passwords for the user, admin, and root. If you specify a -minchars of 8, the password will be at least 8 characters:

# makepasswd -minchars 8
x8xit5Hk

You will also want to remove unnecessary accounts created during installation. Again, this can be done from linuxconf or from the command line by using the userdel command. Do a sanity check first and see if the user owns any files:

# find / -user username_or_ID -print

To remove a user, use the userdel command:

# userdel -r username

The -r option will remove all files in the user's home directory. Some user candidates for this are games, majordomo, www-data, gnats, operator, list, irc, uucp, proxy, msql, alias, and possibly news.

Next, you will want to set login access controls on the remaining users. This is done in the /etc/security/access.conf file. I couldn't possibly write a better explanation of how to configure the file than was already in the file itself, so here's an excerpt of the top of the file:

# Format of the login access control table is three fields separated by a
# ":" character:
#
# permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches) or LOCAL (matches any string that does not contain a "."
# character).

Here are examples of restrictions recommended for this file:

This will disable all logins to the console except by the admin and root:

-:ALL EXCEPT admin root :console

Disable remote root logins:

-:root:ALL EXCEPT LOCAL
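An added example, not from the paper, of the check a practitioner would run after editing /etc/login.defs: it reads a login.defs-style file and reports every recommended setting from the list above that is missing or set to a different value, which is the usual way a half-finished edit or a package upgrade shows up. The sample file is constructed, and RECOMMENDED and the function names are my own.

```sh
#!/bin/sh
# Added example: audit a login.defs-style file against the values recommended above.

# Recommended settings from this section, as KEY=VALUE pairs (assumed variable name).
RECOMMENDED="SULOG_FILE=/var/log/sulog ISSUE_FILE=/etc/issue UMASK=077 PASS_MAX_DAYS=60 PASS_MIN_LEN=6 PASS_WARN_DAYS=5"

# Constructed sample of a login.defs that was only partly edited: UMASK still 022,
# PASS_MIN_LEN left commented out, SULOG_FILE never added.
SAMPLE_LOGIN_DEFS='# /etc/login.defs - constructed sample for the audit below
ISSUE_FILE	/etc/issue
UMASK		022
PASS_MAX_DAYS	60
#PASS_MIN_LEN	6
PASS_WARN_DAYS	5
LOG_OK_LOGINS	yes'

# Print one line per deviation: "KEY expected=X actual=Y" (actual=MISSING when unset).
# Comment and blank lines are skipped; a key set more than once takes the last value.
audit_login_defs() {
    printf '%s\n' "$1" | awk -v rec="$RECOMMENDED" '
        BEGIN {
            n = split(rec, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
                order[i] = kv[1]
            }
        }
        /^[ \t]*#/ || NF < 2 { next }
        { actual[$1] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in actual))
                    printf "%s expected=%s actual=MISSING\n", k, want[k]
                else if (actual[k] != want[k])
                    printf "%s expected=%s actual=%s\n", k, want[k], actual[k]
            }
        }
    '
}

# Exit 0 when every recommended key is present with the recommended value.
login_defs_ok() {
    [ -z "$(audit_login_defs "$1")" ]
}

# Stand-alone run: show the three deviations in the constructed sample.
audit_login_defs "$SAMPLE_LOGIN_DEFS"
```

On a real system run it as `audit_login_defs "$(cat /etc/login.defs)"`; an empty result means the file matches the recommendations.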


NTP

NTP, network time protocol, is required to ensure that accurate time is kept on the system. Why is this SO important? Well, simply put, forensics. If your logs are out of time sync with the server's logs, it will be difficult if not impossible to prosecute in the event of a compromise. In addition, much important security software, such as Kerberos and most certificate authorities, depends on accurate time. You want to ensure that you are running an NTP server internally at your network, and you will want to make provisions for laptop users to use the NTP client to sync their clocks with yours. This web site http://www.eecis.udel.edu/~ntp/ntp_spool/html/build.htm has a very good tutorial on how to do a basic setup of NTP. It is outside the scope of this guide to discuss how you would set up NTP within your organization. If you would like to read more about security and NTP, see RFC1305: ftp://sunsite.doc.ic.ac.uk/rfc/rfc1305.txt, section 3.6.

To install NTP on the laptop, obtain the source code from:
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/

Compilation is the standard:

$ ./configure
$ make
# make install

And you will want to configure your /etc/ntp.conf file as follows:

server IP_of_1st_ntp_server
server IP_of_2nd_ntp_server
server IP_of_3rd_ntp_server
driftfile /etc/ntp.drift
restrict default nomodify

Generally speaking, you will want to have more than one server listed for redundancy.

Logging

Logging is essential to security administration. Logs are one of the most important places where you will find the trail of clues needed to determine the method of attack, should you ever find your system the victim of an attack. Logs can also be used as evidence if you are able to prosecute.

When choosing to set up syslog-ng at installation time, Debian very nicely sets up logging and log rotation for you. You will simply want to review the settings and ensure that they are as desired for your environment, and add your email address to the syslog-ng logrotate script.

syslog-ng is configured by default with all the settings that you should need, including defaults to log kern, err, and warn messages. You can also specify filters using syslog-ng. See the man page for syslog-ng for more information on this. The configuration file for syslog-ng is /etc/syslog-ng/syslog-ng.conf

logrotate is also already set up, including cron jobs to run it daily and weekly - located, appropriately enough, in /etc/cron.daily and /etc/cron.weekly. You may need to edit these to also rotate the sulog. Add the administrator's email address to the top of /etc/logrotate.d/syslog-ng as follows:

mail admin@xyz.corp.com
errors admin@xyz.corp.com

This will email admin@xyz.corp.com with the compressed log files, as well as any errors. It is also recommended that you set up a log server within your company's network, if you haven't done so already, and have the laptop log to that. Another good idea is to scan your logs using a program like Psionic's Logcheck - which checks your logs for anomalies and will email you with alerts. This can help to reduce the amount of data that you will need to sift through, but will require an initial time investment to tweak the settings to reduce false alarms. There are many other log scanners that you can use. See Appendix A for a list of security tools.
Remote System Administration, File Access (Copy and Transfer) and E-mail using
Au
Secure Shell
2,

Since the system will be operated remotely for at least part of the time (hence the need
00

for a laptop in the first place), you will want to be able to securely administer the machine
-2

from a remote location. Secure Shell accomplishes this nicely, as well as having other
useful features, such as scp, sftp (for remote file copy and transfer) and tunneling (which
00

will be used to provide the user with secure remote email access).
20

Installation

You can obtain Secure Shell in source code from ftp://ftp.ssh.com/pub/ssh. Secure Shell is free for use under a non-commercial license under Linux, NetBSD, FreeBSD, and OpenBSD. Secure Shell 2.4 is the latest version. SSH1 has been officially deprecated due to fundamental security vulnerabilities, and its use is not recommended. See http://www.ssh.com/products/ssh/cert/ and http://www.cert.org/ for information about these vulnerabilities.

You will need to have Secure Shell installed on both the laptop and on an internal server which allows connections from outside your network. Remember to open port 22 on your firewall to allow Secure Shell connections from your remote users.

It is recommended to set up Secure Shell to support TCP Wrappers at a minimum (--with-libwrap). Even though Secure Shell offers user and host restrictions in the server configuration file, it is easier to have a central place from which to administer user and host restrictions. You can also take advantage of TCP Wrappers' advanced logging features.

On the internal Secure Shell server, you may want to chroot users to restrict shell and sftp access. This decision (and how you go about setting this up) depends on your network security policies, and also whether the users need access only to their own files, or if they need to share files with other users. Keep in mind that as of version 2.4, chrooting for Secure Shell is only supported on Linux, AIX and Tru64, and is known to not work on Solaris or HP-UX. The operating system of your server will be a deciding factor in this decision. A chrooted environment can be established only if a statically linked build can be made, that is, one which uses no shared libraries. See Appendix B for more information on setting up chrooting with Secure Shell.

See the README that comes with the distribution for complete installation instructions, as well as the online administrator's guide and Appendix B.

Setting up the Secure Shell daemon to Start on Boot

As an administrator, you want the Secure Shell daemon to start at boot time so that you can connect to it if you need to do any remote system administration. Secure Shell comes with a startup script, sshd2.startup, for SYS-V style operating systems (it was specifically written for Linux). This should work fine for the Debian laptop, but you may need to edit this for the company's internal Secure Shell server, depending on the operating system.

For the laptop, to start the Secure Shell daemon at boot time, copy the sshd2.startup script (should be in the source directory after installation) into the /etc/init.d directory. Create symbolic links to the sshd2.startup script in the /etc/rc#.d directories to start (S#) or stop (K#) the sshd2 daemon. The # designates the order that the scripts in the rc#.d directories are started - the higher the number, the later in the boot (or shutdown) process the script is run. For example:

# ln -s /etc/init.d/sshd2.startup /etc/rc#.d/K90sshd2

for /etc/rc1.d and /etc/rc6.d and

# ln -s /etc/init.d/sshd2.startup /etc/rc#.d/S90sshd2

for /etc/rc2.d, /etc/rc3.d, /etc/rc4.d, and /etc/rc5.d

will set up the Secure Shell daemon, sshd2, to start and stop properly on boot and reboot on a Debian system.
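The link layout just described, as an added example (not from the paper and not part of the ssh.com distribution): a POSIX shell function that creates the K90 and S90 links under a root directory of your choosing, so the result can be inspected in a scratch tree before the same call is made against the real system. The sshd2.startup placeholder the demonstration writes is constructed and stands in for the real script.

```shell
#!/bin/sh
# Added example, not from the paper or from the ssh.com distribution: the
# K90/S90 link layout described above, done by a function that takes a root
# directory so the result can be inspected in a scratch tree before the same
# call is made against the real system (install_sshd2_links / as root).

# install_sshd2_links ROOT
#   Requires ROOT/etc/init.d/sshd2.startup. Creates K90sshd2 in rc1.d and rc6.d
#   (stop on single-user and reboot) and S90sshd2 in rc2.d to rc5.d (start in
#   the multi-user run levels), exactly the layout the text describes.
install_sshd2_links() {
    root=${1%/}
    script="$root/etc/init.d/sshd2.startup"
    if [ ! -f "$script" ]; then
        echo "install_sshd2_links: $script not found; copy sshd2.startup there first" >&2
        return 1
    fi
    for lvl in 1 6; do
        mkdir -p "$root/etc/rc$lvl.d"
        ln -sf "$script" "$root/etc/rc$lvl.d/K90sshd2"
    done
    for lvl in 2 3 4 5; do
        mkdir -p "$root/etc/rc$lvl.d"
        ln -sf "$script" "$root/etc/rc$lvl.d/S90sshd2"
    done
}

# count_links ROOT PREFIX
#   Number of symbolic links named PREFIXsshd2 across ROOT/etc/rc?.d, used to
#   verify the layout: 2 K90 links and 4 S90 links are expected.
count_links() {
    find "${1%/}"/etc/rc?.d -type l -name "${2}sshd2" | wc -l | tr -d ' '
}

# Rehearsal in a constructed scratch tree; nothing under the real /etc is touched.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/init.d"
printf '#!/bin/sh\n# stand-in for the real sshd2.startup script\n' > "$DEMO/etc/init.d/sshd2.startup"
install_sshd2_links "$DEMO"
ls -l "$DEMO"/etc/rc?.d
```

The function refuses to run when the startup script is not in place, which is the mistake the manual ln commands do not catch: a dangling link in rc2.d is silently skipped at boot and the daemon is simply never started.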

Authentication

Secure Shell is configured to use password authentication by default. Unless your company already uses a different method for authentication such as PAM, Kerberos or RSA SecurID, the recommendation is public key authentication for both the administrator connecting to the laptop to administer the computer, and for the user authentication to the company's Secure Shell server for remote email and file access.

Setting up public key authentication is fairly simple. Do this in one direction first, then in the other, to avoid confusion. See Appendix B for information on which authentication methods are supported, and Appendix C for instructions on setting up public key authentication in Secure Shell.

Setting up Local Tunnels for E-mail

Secure Shell has the ability to tunnel TCP ports through the secure connection, to the destination application server specified. This is a very useful feature, and is what will be used to secure the user's email on the laptop. You will want to set up local tunnels from the client machine for port 25 for smtp, and port 110 for pop or 143 for imap. Local tunnels 'push' connections from the local port specified, through the Secure Shell server, to the application server on the port specified. Keep in mind that while the connection between the Secure Shell client and Secure Shell server is secure, the connection between the Secure Shell server and the application server is not secured. Plan your network accordingly.

Since the ports used for email are privileged ports (25, 143, and 110), the user must start ssh as root, or they will not have adequate permission to forward the ports. (The command-line example below maps the unprivileged local port 4025 to the server's port 25 and so needs no root; if the mail client can be pointed at a non-standard local port, that avoids running ssh2 as root at all.) You can set up tunnels from the command line:

# ssh2 -L 4025:smtp_server:25 user_name@ssh_server

but the best way to set up tunnels for repeated use such as for email is through the config file - /etc/ssh2/ssh2_config:

# Tunnels that are set up upon logging in
LocalForward "25:smtp.xyz.corp.com:25"
LocalForward "143:imap.xyz.corp.com:143"

Note that the arguments must be enclosed in double quotes "".

Once the tunnels are set up in the config file, the user will still have to execute ssh2 as root in order to access email, but the command is much shorter:

# ssh2 user_name@ssh_server

Next set up the mail client to point to 127.0.0.1 for smtp and imap servers. Secure Shell will capture the connections to ports 25 and 143 and forward the connections to the smtp and imap servers at XYZ Corp.

Tightening up Access to Secure Shell

There are many restrictions you can set in the server config file to limit access to Secure Shell on both the server and on the laptop. Following are the recommendations for the laptop /etc/ssh2/sshd2_config file:

MaxConnections 2

This will limit the number of connections to the sshd2 daemon to 2. As only the administrator should be connecting to the laptop, this is more than sufficient. The default on this is unlimited.

RekeyIntervalSeconds 3600

This tells the server to re-exchange and verify hostkeys after the specified number of seconds. This provides an extra level of security against hijacking Secure Shell sessions and man-in-the-middle attacks - but be careful with this one! If the client you are using to connect does not support re-keying, you will be disconnected after the specified number of seconds. By default this is commented out, but if your Secure Shell clients support re-keying, it is a good idea to enable this.

PermitEmptyPasswords no

This will prevent users with NULL passwords from connecting. This is commented out by default.

BannerMessageFile /etc/issue.net

This displays the /etc/issue.net banner before login. This is commented out by default.

AllowedAuthentications publickey,password

This specifies the authentication methods allowed when connecting to the sshd2 daemon.

PermitRootLogin no

This prevents direct root logins, which will require the administrator to su for root access when connecting via Secure Shell. This is set to yes by default.

AllowUsers admin,user

This will allow in only users admin and user, and will deny login via Secure Shell to everyone else.

Email and File Confidentiality

The best way for your users to retain email and file confidentiality is through the use of GPG or PGP for encryption. Many programs, such as StarOffice by Sun Microsystems (used to write this guide), offer pgp plug-ins for encryption of files and emails. StarOffice does require Java to be installed before the pgp plug-in will work. Make sure your users keep a backup copy of both their public and private keyrings. Encourage through policy and education the use of GPG or PGP by your users.

'Defensive' Security Measures

Defensive security measures refers to using available software and good system administration practices to protect the system from attackers attempting to gain access and from copying, altering, or deleting important data.

TCP Wrappers

TCP Wrappers enables you to set access controls on network services with the use of two files - /etc/hosts.deny and /etc/hosts.allow. TCP Wrappers also has some very nice logging features. Because we have already disabled all network services except for Secure Shell, and compiled Secure Shell with TCP Wrappers support, your /etc/hosts.deny and /etc/hosts.allow files should look like this:

/etc/hosts.deny

ALL:ALL

/etc/hosts.allow

sshd2:.xyz.corp.com
sshdfwd-X11:.xyz.corp.com

This denies access to everyone, then allows access only to those specified in the /etc/hosts.allow - anyone from the xyz.corp.com domain, in this case. Note that hosts.allow is consulted before hosts.deny, so a match there wins, and that matching on a domain name depends on the connecting address resolving correctly in reverse DNS; check that the administrator's host is accepted from wherever the laptop will actually be used.

Packet Firewall - IPChains

Configuring a packet firewall on this machine is essential to keeping out intruders. This will be the primary defense for this laptop when it is connected remotely. The Linux ipchains How-To is located here: http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO.html . This goes into nauseating detail on how to install and configure ipchains, as well as having several example configurations. An alternative example script which is best suited to this scenario is the one in the "Securing Linux Step-by-Step" guide available from www.sans.org, in Appendix D. This script is very well commented, enabling ease of administration.

Psionic Portsentry

Portsentry is used to detect port scans, and can take configurable action on the scanning host. You can do all kinds of fun things with Portsentry - such as automatically adding any scanning host to /etc/hosts.deny, displaying a banner message to the scanning host, executing a command directed at the $TARGET$ host, or simply dropping, denying, or killing the route to the scanning host. This last is the recommended course of action. Since we've already added ALL:ALL to the /etc/hosts.deny, it is not necessary to add every scanning host to that file, and executing a command or issuing a warning banner on a scan attempt can taunt a hostile scanning host, and cause retaliatory action.

Here is the line you'll want to uncomment in your portsentry.conf:

KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

Be aware that any automatic blocking can be turned against you: a scan arriving with a spoofed source address makes the laptop block whatever address was spoofed, so list the hosts it must always reach (gateway, DNS, the company's Secure Shell server) in portsentry.ignore and review the rules Portsentry has added from time to time.

Tripwire

Tripwire is used to detect changes in files. When you initialize Tripwire, it builds a database of the files on your hard drive. If any of those files is changed, and Tripwire is run again, you will receive a notice that the file has changed. This is helpful to detect changed binaries - for example, if your ls command has been substituted with a trojaned version, Tripwire will detect this. Tripwire also detects permission changes on files. Tripwire should be the last software you install before turning the system over to the user. You will want to make sure there is a backup of the Tripwire database on non-changeable media such as CD-R. Every time an update is applied to the system, you will want to rebuild the Tripwire database.

You build your Tripwire database like this (from the directory where Tripwire is installed):

# ./tripwire --initialize

Change the permissions on some files, and perhaps copy a binary from a different machine over to this one (rename the original first, of course), then run Tripwire:

# ./tripwire

Tripwire will report all the changes made since the last database was created.

Updating using apt-get

apt-get is the Debian answer to obtaining the latest updates for your system. apt-get is configured in the /etc/apt/apt.conf file. apt-get uses /etc/apt/sources.list to list locations where updates are obtained. The following web site has a list of 'unofficial' sources, in addition to the 'official' Debian ones pre-configured: http://www.internatif.org/bortzmeyer/debian/apt-sources/
Take care using these sites - they are not sanctioned by Debian and you may want to ensure that you can trust the sources before installing any software obtained from these sites.

You can configure apt-get using apt-setup. apt-setup will ask you for sources to add to the /etc/apt/sources.list.

The first thing to do when running apt-get is to resynchronize the package overview files:

# apt-get update

Next, you'll want to upgrade to the updated packages:

# apt-get upgrade

If you only want to upgrade a specific package:

# apt-get install package_name

If you want to automate this (recommended), write a simple shell script for apt-get update and apt-get upgrade and place both of these scripts in /etc/cron.daily or /etc/cron.weekly, depending on how often you would like to update. Weekly should be sufficient for most applications. An unattended run needs apt-get's -y option so that it does not wait for confirmation, and its output should be written to a log or mailed to the administrator so that a failed upgrade is noticed.

You will also want to ensure that whoever the administrator for the laptop is, they are subscribed to the security lists for Debian. You can find information about Debian and security at the following address: http://www.debian.org/security . SANS also has a very good security digest you can subscribe to where you can choose which operating system flavor you would like to receive security updates on (for Debian choose Linux): http://www.sans.org/sansnews

Backup, Backup, Backup

I personally experienced the immense value of backups AGAIN while working on this document. StarOffice crashed on me (emulating M$ Office a little too well there :), and when I reopened the document, it was corrupted. I would have lost the entire thirty-four page document if not for a backup that was made the previous day. Even with daily backups, however, I lost all the changes that had been done that day. I was not a happy camper. Imagine your user's state of mind if they lose weeks or months of work because they do not have a current backup. Don't wait for that frantic call before instituting a backup policy. Another benefit is the ability, through backups, to determine exactly how and when a compromise took place.

How you go about doing backups on this laptop will vary greatly depending on your user's habits. If your user is in the office most of the time, and only occasionally on the road, you are probably safe using a networked backup method. Legato and HP-Openview both offer a free Linux backup client if your company already has the server software, although it is not supported by either company. If your user is mostly on the road, however, your backup method will get a bit more complicated. Your user's method of connecting to the internet can also play a part here - you do not want to send the backups of your user's home directory over a modem connection to a file server inside your company network, but if your user connects using DSL, this is a valid option.

Other options here are external tape drives, CD-R drives, and perhaps even a backup server at the user's home if the user usually works from home. Some laptops have the ability to add a second hard drive to the system. This is a very good way to maintain a mirror of the main hard drive should anything happen. If choosing a method which involves any type of transmission over a network, ensure that the connection is secured. Also make sure that the method is automated, through cron jobs usually, preferably in such a manner as to not interfere with the user's regular schedule.

You will want to do a full backup of the system after all installations and configurations are done, before turning over the laptop to the user, and again after any major system updates, as well as on a monthly schedule. Incremental backups are recommended on a daily basis. Make sure that you also test your backup schedule and the backups themselves by restoring them before turning the laptop over to the user.

tar (short for tape archive) is the most common method of compressing and archiving data. This command will backup and compress the user's home directory:

# tar czf /tmp/home_user.tgz /home/user_name

This file can then be copied to some other media or to a server on the company's network. Because it was created in the /tmp directory, it will be removed upon shutdown, thus not using up needed hard drive space. Since the archive holds everything in the user's home directory, make sure it is created with restrictive permissions (the UMASK 077 setting recommended earlier takes care of this) and delete it as soon as it has been copied off.

See http://www.debian.org/doc/manuals/system-administrator/ch-sysadmin-backup.html for more information.
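The full-plus-incremental scheme recommended above, as an added example that is not part of the paper: POSIX shell functions built on the same tar czf command, where a stamp file records when the last backup ran and the daily pass archives only the files changed since then, followed by the test restore the text asks for. The home directory, its files and all paths are constructed for the demonstration; the stamp file must be given as an absolute path.

```shell
#!/bin/sh
# Added example, not from the paper: the full-plus-incremental scheme the text
# recommends, built on the same tar czf the paper uses. A stamp file records when
# the last backup ran; the incremental pass archives only regular files modified
# since then. All paths below are constructed for the demonstration.

# full_backup HOME_DIR ARCHIVE STAMP
#   Archive HOME_DIR relative to its parent (so a restore lands under the same
#   name) and record the run time in STAMP. STAMP must be an absolute path.
full_backup() {
    tar czf "$2" -C "$(dirname "$1")" "$(basename "$1")" && touch "$3"
}

# incremental_backup HOME_DIR ARCHIVE STAMP
#   Archive only regular files newer than STAMP, then advance STAMP so the next
#   incremental starts where this one ended. An empty archive is still written
#   when nothing changed, which keeps the daily cron job's log regular.
incremental_backup() {
    list=$(mktemp)
    ( cd "$(dirname "$1")" && find "$(basename "$1")" -type f -newer "$3" ) > "$list"
    tar czf "$2" -C "$(dirname "$1")" -T "$list" && touch "$3"
    status=$?
    rm -f "$list"
    return $status
}

# restore_all DEST ARCHIVE...
#   Restore the archives in the order given (full first, then each incremental)
#   so that later versions of a file overwrite earlier ones.
restore_all() {
    dest=$1; shift
    mkdir -p "$dest"
    for archive in "$@"; do
        tar xzf "$archive" -C "$dest" || return 1
    done
}

# file_count ARCHIVE
#   Number of regular-file entries in ARCHIVE (directory entries end in /).
file_count() {
    tar tzf "$1" | grep -c -v '/$'
}

# restored_count DEST
#   Number of regular files under DEST after a restore.
restored_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Demonstration on a constructed home directory: one full backup, one day's
# changes, one incremental, then the test restore the text asks for.
DEMO=$(mktemp -d)
USER_HOME="$DEMO/home/user_name"
mkdir -p "$USER_HOME/docs"
echo "quarterly report, first draft" > "$USER_HOME/docs/report.txt"
echo "alias ll='ls -l'" > "$USER_HOME/.bashrc"

full_backup "$USER_HOME" "$DEMO/full.tgz" "$DEMO/stamp"
sleep 1    # keep the edits below strictly newer than the stamp on coarse filesystems
echo "quarterly report, second draft" > "$USER_HOME/docs/report.txt"
echo "call the auditor on Monday" > "$USER_HOME/docs/notes.txt"
incremental_backup "$USER_HOME" "$DEMO/incr1.tgz" "$DEMO/stamp"

restore_all "$DEMO/restore" "$DEMO/full.tgz" "$DEMO/incr1.tgz"
cat "$DEMO/restore/user_name/docs/report.txt"
```

The full archive carries both original files, the incremental carries only the edited report and the new note, and the restore ends with three files, the report being the second draft. Files deleted between backups are not recorded by this scheme, so a monthly full backup, as the text recommends, is what keeps the restore from reviving them.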

'Offensive' Security Measures

'Offensive' security measures means taking steps which will help you to assess the system's vulnerabilities before an attacker does. This includes applying the same tools the hackers use - such as nmap, as used above, to determine which ports are open, tiger, tara or sara, nessus, and password cracking programs. This type of testing is a good sanity check on your security measures, and may catch some things you've missed. In general, you will want to install these tools on a different machine, and run them against laptop.xyz.corp.com for a better idea of the true vulnerabilities on the system.

Nmap

Nmap is a port scanner. Nmap supports many different types of scans, TCP, UDP, TCP SYN (half open), proxy, ICMP, as well as many others. Nmap is used to conduct scans on the target system to determine which attack on which ports may be viable. In the section earlier on Securing Network Services, there are two examples of nmap scans against the test Debian system.

Nmap's syntax is very easy to understand. To run a scan on all TCP and UDP ports, you would issue the following command as root:

# nmap -sT -sU laptop.xyz.corp.com

Note that without a port range nmap scans its default set of commonly used ports rather than every port; add -p 1-65535 to cover all of them. See man nmap for more information.

Tiger, Tara, SATAN, SAINT, Sara, and Nessus

There is no shortage of vulnerability scanners to choose from. Understanding the relationships between them can help you choose which would best suit your environment. There are links to all of the scanners mentioned here in Appendix A.

Tiger is a program which checks for basic security problems on a Unix system. Tara is an updated version of Tiger.

SATAN is another program designed to probe for security vulnerabilities. SATAN has not been updated in some time, which limits its ability to effectively test for current threats. SAINT is an expansion on the SATAN project. The original author of SAINT now works for ARC, and the result is a new vulnerability scanner called Sara, an evolution of the SATAN and SAINT projects.

Out of all of the vulnerability scanners reviewed, the one which was easiest to use and easiest to keep up-to-date was Nessus. Nessus functions in client / server mode, and has a GTK interface, for ease of use and administration. Each of the security tests in Nessus is designed as a plug-in, which enables you to write your own security checks if desired, and which enables easy updating of Nessus. When checking the plug-ins page at www.nessus.org, ten plug-ins were added between March 25th and April 2nd - demonstrating that the software is under current, active development. Most interesting of all, however, was that while the software is free of charge to any users, the developers also offer professional, commercial support for the product - immensely valuable if you plan to roll this out across your entire network. The commercial support even includes twenty-four custom plug-ins per year, and minor customizations to the software, if desired.

Password Cracking Programs

Password cracking programs are a good idea if you do not use the makepasswd utility to generate random passwords. This can help ensure that the passwords that are chosen are not easily broken. Keep in mind that any password can be cracked eventually - your goal here should be to weed out the EASILY cracked passwords.

Some of the most common password cracking programs are crack, John the Ripper, and Nutcracker. In general, the larger the dictionary, the better the chances are of cracking the password. See http://www.password-crackers.com/crack.html for more on these programs. In addition, if you implement PAM on the system, you can use the password strength checking module listed here: http://www.openwall.com/passwdqc/

User Education

User education is probably the single most important thing you can do to protect this system. Securing any machine is useless unless you educate the end user on why the security is needed, what the policies are, and what they can do to limit exposure. As this is a laptop, and will be operated remotely, your user will be on their own for a portion of their time - without anyone around to verify that they are actually using that Kensington lock you provided. The single greatest point of failure of any security policy is personnel - get yours on your side through education. Most users will cooperate if they understand how important these measures are, and why they must take the time to enter several passwords to boot the computer.

Some topics to be sure to cover with your users:

Passwords
Why passwords are important
Why you need multiple passwords
Why all your passwords should NOT be the same
What makes good and bad passwords
How to choose a good password (or why to use one generated with makepasswd)
Password management (for a single user, the best method for this might be a PGP encrypted text file, saved on removable media, not the hard drive)

Hardware Protection
Impress how vulnerable laptop computers are to theft
Show the user how to enter the BIOS Poweron and Hard drive Passwords
Show the user how to use the hardware locks provided
Advise the user to remove, if possible, removable media drives before traveling

Backups
Explain why backups are so necessary, both to protect data and as forensic evidence
Explain what they can do to ease backup administration (save user files only in a specific directory, notify the administrator if an update is applied so that a full backup can be made, etc)
Backup before installing any major software packages or updates
Why not to cancel the regularly scheduled backups
If something goes wrong with the scheduled backups, notify the administrator immediately

Other Good Practices
Don't leave your laptop logged on without setting a screen saver password AND using the hardware lock
Don't circumvent any of the established security practices
Have the user review RFC2504 - http://www.faqs.org/rfcs/rfc2504.html
Make sure the user has a copy of your laptop security policy, and make sure you have a signed copy from them showing that they understand the policy, and agree to comply with the terms.

Conclusion

While perfect laptop security can never be achieved, there are steps which can be taken to minimize the risks faced when connecting to the internet, as well as those faced when using a portable, easy-to-steal computer. These steps include disabling unused services, setting login and password policies, and employing strategies to help defend against attacks, as well as using the hacker's own tools to do a vulnerability assessment. The single most important part of any security plan, however, is user education. Explain to your users the threats, and what they can do to help. This can help turn your single most dangerous security risk into an asset.

Checklist - Securing a Debian Linux Laptop for Road Warriors
Laptop prepared for __________________________________
Laptop prepared by __________________________________
Date _________

Choosing the Right Laptop

Laptop chosen supports the following:

____ BIOS poweron password
____ BIOS supervisor password
____ Hard drive password
____ Security screw for hard drive if drive is externally removable
____ Hardware lock - Kensington-type or motion-sensitive (preferred)
____ IMPORTANT - make sure that all of the above passwords and locks are set and used!

_________ Laptop Manufacturer
_________ Laptop Model Number
_________ Laptop Serial Number

Operating System Installation

____ Make sure laptop is not connected to the network during installation
____ Document partition scheme:

Run the following commands and report the output here:

# fdisk /dev/hda

Using /dev/hda as default device!

Command (m for help): p

____ Enable MD5 passwords
____ Install shadow passwords
____ Set root password
____ Create user and admin accounts

Package Selection

Remove the following packages:

____ telnet & telnetd - Secure Shell will be used for remote access by admin only
____ finger & fingerd - numerous known security vulnerabilities
____ nfs-common & nfs-server - numerous known security vulnerabilities
____ talk & talkd - not necessary, known security vulnerabilities
____ ftpd - unnecessary, numerous known security vulnerabilities

Add the following packages:

____ acct - GNU accounting utilities for login and process accounting
____ sudo - enable users to execute a command as another user
____ syslog-ng - provides advanced system logging
____ logcheck - looks for anomalies in the system logs and emails them to admin
____ apmd - improved power management for laptops
____ makepasswd - used to generate true random passwords using /dev/random

You will most likely have to add other packages as necessary depending on the user's needs. If the applications that come with the distribution are not the latest version, obtain and install the latest versions. Document the applications added and the version numbers here:

Kernel

If the latest version of Debian uses an outdated kernel, back up your kernel, obtain the latest kernel and recompile. Document the kernel version here: ____________

Disabling Network Services

____ Disable inetd (either from linuxconf or by commenting out /etc/inetd.conf)
____ Disable /etc/init.d/portmap script by commenting out
____ Set default boot mode to text (startx from the command prompt to start Xwindow)
____ Remove the following binaries entirely from /usr/bin: rcp rgrep rjoe rlogin rpcgen rpcclient rsh rstart rstartd rpcinfo

LILO

____ Password protect LILO by editing the /etc/lilo.conf or from linuxconf
____ Chmod /etc/lilo.conf to 0600

Password and Login Policies

____ Set up banner message to display for all logins

Edit the /etc/login.defs file to enable the following (these are recommended settings - set these as appropriate for your environment):
____ SULOG_FILE /var/log/sulog
____ ISSUE_FILE /etc/issue
____ UMASK 077
____ PASS_MAX_DAYS 60
____ PASS_MIN_LEN 6
____ PASS_WARN_DAYS 5
____ Or set password to expire using passwd or chage - document max days here ____
____ Remove unnecessary users from the system
____ Edit /etc/security/access.conf to restrict all root logins except from LOCAL and console logins except from root or admin

NTP

____ Install and configure ntp client to connect to an internal ntp server

Logging

____ Review syslog-ng settings and logrotate settings, add email address to /etc/logrotate.d/syslog-ng (if any changes are made to settings, attach a document detailing the changes to this checklist)

Remote System Administration, File Access (Copy and Transfer) and Email using Secure Shell

____ Install Secure Shell
____ Configure sshd2 to startup on boot
____ Set up public key authentication
____ Configure Local tunnels in /etc/ssh2/ssh2_config
____ Tighten up access to the Secure Shell daemon in /etc/ssh2/sshd2_config

Email and File Confidentiality

____ Install and configure pgp - encourage users to use it for file and email encryption
____ If using StarOffice, install pgp plug-in

'Defensive' Security Measures

____ Install TCP Wrappers
____ configure /etc/hosts.deny for ALL:ALL
____ configure /etc/hosts.allow for sshd2 and sshdfwd-X11 for the internal domain only
____ Configure IPChains as a packet firewall to filter outbound and inbound traffic. Attach a copy of the script used to this document
____ Install PortSentry
____ configure PortSentry to kill the route to scanning hosts
____ Install Tripwire LAST
____ Build a tripwire database
____ Store Tripwire database on non-changeable media
____ Configure apt-get for updating Debian
____ Setup apt-get to run weekly from a cron job
____ Subscribe to Debian Security Lists and SANS Security Digests
____ Develop and deploy a backup plan. Attach a copy of the backup plan to this document.

'Offensive' Security Measures

____ Run nmap against the laptop. Turn off any remaining unnecessary services.
____ Run one or more vulnerability scanners against the laptop. Review the results and correct any open issues. Rerun the scanner. Review the results again to ensure all vulnerabilities were addressed.
____ Run a password cracking program against the /etc/shadow file. If any passwords were recovered, regenerate the password using makepasswd and rerun the password cracking program.

User Education

____ Educate the user on why security policies are in place, what the security policies are, and what they can do to minimize exposure.
____ Have the user sign the security policy, demonstrating understanding and acceptance

____________________________ Your Signature, attesting to having completed the steps listed above
__________ Date

Appendix A
The Missing Link(s)

Log Checkers / Scanners

Log Scanner
ftp://logscanner.tradeservices.com/pub/logscanner/
Logsurfer
http://www.cert.dfn.de/eng/logsurf/
Logstats
http://www.cise.ufl.edu/~jfh/jst/
Swatch
http://www.stanford.edu/~atkins/swatch/
WOTS
http://www.tony-curtis.cwc.net/tools/
Psionic Logcheck
http://www.psionic.com/

Port Scanners / Scan Detectors

Psionic PortSentry
http://www.psionic.com/
Nmap
http://www.insecure.org/nmap/
Astaro
http://www.astaro.com
Iplog
http://ojnk.sourceforge.net/
Scan Detect
http://sdetect.sourceforge.net/

Security Scanners

BASS
http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
Nessus
http://www.nessus.org/index.html
SAINT
http://www.wwdsi.com/saint/
Sara
http://www-arc.com/sara/index.shtml
SATAN
http://www.porcupine.org/satan/
Tara
http://www-arc.com/tara/

Firewall / VPN Solutions

FireDog
http://northernlightsgroup.hypermart.net/firewalls.htm
RCF
http://rcf.mvlan.net/
Astaro
http://www.astaro.com/products/index.html
FreeSWAN Linux (IPSec)
http://www.freeswan.org/

Password Utilities

Automated Password Generator
http://www.adel.nursat.kz/apg/
John the Ripper
http://www.openwall.com/john/
Npasswd
http://www.utexas.edu/cc/unix/software/npasswd/
Nutcracker
http://northernlightsgroup.hypermart.net/nutcracker.html
PAM module for checking passwords
http://www.openwall.com/passwdqc/
Password Cracking Library
http://www.password-crackers.com/pcl.html
List of Password Cracking Software (sorted by application which you want to crack)
http://www.password-crackers.com/crack.html
Another List of Password Cracking Software (not sorted by application you would like to crack)
http://neworder.box.sk/box.php3?gfx=neworder&prj=neworder&key=pwdcrax&txt=Password

Debian Linux Sites

Home Page
http://www.debian.org/
Support
http://www.debian.org/support
Installation for Intel x86
http://www.debian.org/releases/stable/i386/install.en.html#contents
Compiling a new Kernel
http://www.debian.org/releases/stable/i386/ch-post-install.en.html#s-kernel-baking
Reporting Bugs
http://www.debian.org/Bugs/
Unofficial APT Sources
http://www.internatif.org/bortzmeyer/debian/apt-sources/

Other Interesting Tools and Security Related Sites

SANS
http://www.sans.org
Automatic Security
http://www.automaticsecurityunderlinux.com/
Bastille (Redhat focused, but maybe they'll get to Debian soon)
http://bastille-linux.sourceforge.net/
Linux Tools for Toshiba Laptops
http://www.buzzard.org.uk/toshiba/
Practical Unix Security in a Networked Environment
http://www.shmoo.com/wp/pract/
Secure Communication with GnuPG on Linux
http://linux.com/sysadmin/newsitem.phtml?sid=113&aid=11408
LILO Security Tips
http://linux.com/security/newsitem.phtml?sid=11&aid=8252

Appendix B
SSH2 Quick Setup Reference Guide

Updated March 28, 2001

Table of Contents

1. About this Document
2. About Secure Shell
3. Licensing Questions Answered
4. Installation
5. Setup for Special Circumstances
6. File Names and Locations
7. Authentication Methods
8. Configuration
9. Why NOT to use SSH1 and SSH1 Compatibility
10. Troubleshooting
11. Where to find help

1. About this Document

This document is designed to assist administrators by explaining some of the uses and possibilities of SSH Secure Shell, by giving the sequence in which options should be configured, and by providing a reference for where to find additional information.

This document provides background information and gives links to specific instructions which are available on the web. This document will not reinvent the wheel: where information is already available from the Administrator's Guide, you will be linked to the online Administrator's Guide. This is mostly for administrative purposes: updating multiple sources with the same information is tedious and error prone, and online sources can be updated and edited in a much more timely fashion, enabling us to ensure that you get the most correct and up-to-date information possible.

Although this document may reference Windows versions of the software, it is intended as a guide only for Unix and Linux operating systems.

2. About Secure Shell

From http://www.ssh.com/products/ssh/ :

"SSH Secure Shell is the de facto standard for remote logins, with an estimated three million users in 80 countries. It solves the most important security problem on the Internet: hackers stealing passwords. Typical applications include remote system administration, file transfers, and access to corporate resources over the Internet.

SSH Secure Shell is intended as a complete replacement for ftp, telnet, rlogin, rsh, and rcp. It has additional functionality that Berkeley Services don't include: file transfer, X11 forwarding, and TCP/IP port forwarding.

SSH Secure Shell is based on the SSH2 protocol. The secsh protocol is currently standardized by IETF and the standards process is in draft stage. You can find the current versions of the drafts at http://www.ietf.org/ID.html "

3. Licensing Questions Answered

So, you've read the license that comes with SSH Secure Shell, and you are confused: can you legally use SSH Secure Shell? Are you required to purchase a license?

The Required Caveat: This is a summary and simplification of the license terms intended to help explain them; please see the actual license file for the legal, binding terms and conditions. This information is provided as a courtesy and is not intended to replace the LICENSE file that comes with the distribution. This information specifically does NOT apply to SSH Secure Shell for Windows Servers.

SSH Communications Security classifies licenses in two categories: commercial and non-commercial (which includes personal use and educational use).

Commercial licenses cover using the software in a business environment, usually for work for which you will be paid (educational institution employees excepted from this definition).

Non-commercial licenses cover those using the software for home or personal use, or as an agent or user of any educational institution.

There are also two versions of the software: commercial and non-commercial. The main differences in the code include text labels to enable identification of which version is being used, some license checks for the Windows software, and additional binaries available for the commercial software which are not distributed freely.

SSH Communications Security does not require payment for non-commercial licenses. Use of SSH Secure Shell on Linux, NetBSD, OpenBSD, and FreeBSD operating systems is available under a non-commercial license.

IMPORTANT: Please be aware that although SSH Communications Security will gladly accept bug reports and feature requests, support for installation and configuration is not provided if you are using the non-commercial license. See section 10 for information on where to obtain assistance with the non-commercial software.

4. Installation

If you are using the non-commercial version of the software, you have the choice of source for Unix / Linux, while binaries are available for Redhat, SuSe, and Windows client software.

Installation Instructions:

Installation instructions are well documented in the SSH Secure Shell for Unix Administrators Guide.

SSH Secure Shell for Unix Servers Administrator's Guide
http://www.ssh.com/products/ssh/administrator24

Please see this location for standard installation instructions for both binaries and source code.

Following are the standard source code installation instructions. After unpacking the source code, change to the source directory and do the following:

$ ./configure
$ make
# make install

5. Setup for Special Circumstances

There are some specific functionality or compatibility options which are not available through a standard install, and all of them require you to compile the source code. You can type ./configure --help from the source directory to list all options available at compile time. This section gives the configure options for the most common special setup situations. This section is intended to provide a starting point for compilation - once compiled, please see the Administrator's Guide for full instructions on setting up these features.

a) Chroot functionality for sftp
b) Kerberos support
c) PAM support
d) RSA SecurID support
e) TCP Wrappers support

a) Setting up chroot functionality for sftp:

IMPORTANT !!! PLEASE NOTE: This feature is only supported on Linux, AIX and Tru64, and is known to not work on Solaris or HP-UX. A chrooted environment can be established only if static builds can be made, as then no shared libraries are used.

$ ./configure --enable-static
$ make
# make install

There are additional steps that must be taken to complete the set up. Please see the online Secure Shell for Unix Servers Administrator's Guide at:
http://www.ssh.com/products/ssh/administrator24/Using_Chroot_Manager__ssh-chrootmgr_.html

b) To set up Secure Shell with Kerberos support:

You must already have Kerberos set up on the machine prior to compiling Secure Shell with Kerberos support. Secure Shell will detect if you have Kerberos5 installed. If for some reason Kerberos5 is not found, you can specify the location as follows:

$ ./configure --with-kerberos5=[KRB_PREFIX]
$ make
# make install

There are additional steps that must be taken to complete the setup. Please see the online Secure Shell for Unix Servers Administrator's Guide at:
http://www.ssh.com/products/ssh/administrator24/Kerberos_Authentication.html

c) To set up Secure Shell with PAM support:

No special options are required during the compile to enable PAM support, but this feature is not available from binaries. A standard install will work (from the ssh source directory):

$ ./configure
$ make
# make install

There are additional steps that must be taken to complete the setup. Please see the online Secure Shell for Unix Servers Administrator's Guide at:
http://www.ssh.com/products/ssh/administrator24/Pluggable_Authentication_Modules__PAM_.html

d) To set up Secure Shell with RSA SecurID support:

From the ssh source directory:

$ ./configure --with-serversecurid=/PATH --with-clientsecurid
$ make
# make install

Replace /PATH with the absolute PATH to the directory containing the following files:

sdclient.a
sdacmvls.h
sdconf.h
sdi_authd.h
sdi_size.h
sdi_type.h
sdi_defs.h

The above files are normally in /top/ace/examples

Note: If you do not want to make the compilation as root, make sure that all the above files are readable.

There are additional steps that must be taken to complete the setup. Please see the online Secure Shell for Unix Servers Administrator's Guide at:
http://www.ssh.com/products/ssh/administrator24/SecurID.html

e) To enable TCP Wrappers support within Secure Shell:

$ ./configure --with-libwrap=/path/to/libwrap.a
$ make
# make install

The typical approach is to set up /etc/hosts.deny to refuse everyone, and /etc/hosts.allow to only allow in trusted hosts as follows:

/etc/hosts.deny
ALL:ALL

/etc/hosts.allow
sshd2:.ssh.com foo.bar.fi
sshdfwd-X11:.ssh.com foo.bar.fi

Secure Shell will now use these files to filter access. Based on the files above, users coming from any host in the ssh.com domain or from the host foo.bar.fi are allowed access, while anyone else is denied access. See the documentation for TCP Wrappers for more information on the /etc/hosts.allow and /etc/hosts.deny files and their format.

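The two files above, and the checklist item earlier in this paper that configures /etc/hosts.deny for ALL:ALL and /etc/hosts.allow for sshd2 and sshdfwd-X11, rely on the tcp_wrappers decision order: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The following added example, which is not part of the original guide, evaluates that decision for a daemon/host pair using copies of the files shown above; the LOCAL pattern, the function names and the test hostnames are this example's own additions.

```python
# Constructed copies of the two files shown above; the daemon names and
# host patterns (.ssh.com, foo.bar.fi) are the guide's own.
HOSTS_DENY = """\
ALL:ALL
"""

HOSTS_ALLOW = """\
sshd2:.ssh.com foo.bar.fi
sshdfwd-X11:.ssh.com foo.bar.fi
"""


def parse_access_file(text):
    """Parse hosts.allow / hosts.deny text into a list of (daemons, clients).

    Handles '#' comments and the blank-or-comma separated lists that
    tcp_wrappers accepts; an optional third ':' field (shell command)
    is ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def pattern_matches(pattern, name):
    """tcp_wrappers matching for the pattern forms used on this page, plus LOCAL."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == "all":
        return True
    if pattern == "local":          # host names without a dot (same local domain)
        return "." not in name
    if pattern.startswith("."):     # domain suffix, e.g. ".ssh.com"
        return name.endswith(pattern)
    return pattern == name          # exact daemon or host name


def list_matches(patterns, value):
    return any(pattern_matches(p, value) for p in patterns)


def access_granted(daemon, client_host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the tcp_wrappers order: hosts.allow first, then hosts.deny, else allow."""
    for daemons, clients in parse_access_file(allow_text):
        if list_matches(daemons, daemon) and list_matches(clients, client_host):
            return True
    for daemons, clients in parse_access_file(deny_text):
        if list_matches(daemons, daemon) and list_matches(clients, client_host):
            return False
    return True


if __name__ == "__main__":
    for daemon, host in [("sshd2", "laptop.ssh.com"), ("sshd2", "foo.bar.fi"),
                         ("sshd2", "other.example.net"), ("in.telnetd", "foo.bar.fi")]:
        print("%-12s from %-18s -> %s" % (daemon, host,
              "allowed" if access_granted(daemon, host) else "denied"))
```

Note that without the ALL:ALL line in hosts.deny every unmatched request is granted, which is why the checklist configures hosts.deny before hosts.allow.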
6. Secure Shell File Names and Locations

The server configuration file is located in the /etc/ssh2 directory and is named sshd2_config.

The server binary is located in the /usr/local/sbin directory and is named sshd2.

The system client configuration file is located in the /etc/ssh2 directory and is named ssh2_config.

The client binaries are located in the /usr/local/bin directory and consist of the following files: ssh2, scp2, sftp2, sftp-server2, ssh-add2, ssh-agent2, [ssh-askpass2], ssh-chrootmgr, ssh-keygen2, [ssh-pam-client], ssh-probe2, ssh-pubkeymgr, ssh-signer2
[The bracketed files exist only in some configurations.]

The optional user-specific configuration file is located in the $HOME/.ssh2 directory, and is named ssh2_config.

Each system's own host keypair is located in the /etc/ssh2 directory, and consists of the following files: hostkey, hostkey.pub

When each user connects to a server for the first time, they are asked if they would like to accept the server's public host key. These keys are stored in the $HOME/.ssh2/hostkeys directory. The user will have a separate key for each machine they have connected to.

Please see the appropriate man pages for more information on each of the binaries and configuration files. Files which are specific to authentication are discussed in the Secure Shell for Unix Servers Administrator's Guide: http://www.ssh.com/products/ssh/administrator24/ under the setup instructions for the authentication.

7. Authentication Methods

Secure Shell has many different authentication methods. The choice of which authentication method(s) to use depends on your environment, your network's setup, and sometimes, what you are trying to accomplish with Secure Shell. Following are brief descriptions of the different authentication methods supported by Secure Shell. For setup instructions on each of these, please see the online Secure Shell for Unix Servers Administrator's Guide at:
http://www.ssh.com/products/ssh/administrator24/

Password

Password authentication is the default authentication method, and is already set up when Secure Shell is installed. Password authentication can use either the /etc/passwd file or the /etc/shadow file. This authentication method almost always requires user interaction.

User Public Key

User Public Key authentication must be set up on a per-user basis. Each user generates a public keypair, copies the public key of the keypair over to the server to their ~/.ssh2 directory on the server, and then may need to edit the /etc/ssh2/ssh2_config file on the client to add publickey to the AllowedAuthentications line. The system administrator of the server may also need to edit the /etc/ssh2/sshd2_config file. An identification file on the client, and an authorization file on the server also need to be created. Once that is done, each user authenticates to the server by providing the passphrase they selected when generating the keypair. Users can also use ssh-agent2 and ssh-add2 to store their identities in memory so that they do not have to repeatedly type their passphrase. When ssh-agent2 and ssh-add2 are used, public key authentication can be used for non-interactive logins if the identities are already stored in the ssh-agent2.

Hostbased Authentication

Hostbased authentication uses the client machine's public hostkey to authenticate the user to the server. Hostbased authentication requires copying the client's hostkey over to the server, editing both the client's /etc/ssh2/ssh2_config and the server's /etc/sshd2_config, and creating a .shosts file in the user's home directory on the server. Hostbased authentication, once set up, can be completely non-interactive - this is the easiest authentication method to use for scripting and automation of tasks (such as backups run through cron jobs).

PAM

Pluggable Authentication Module support has been added to Secure Shell for Unix as of version 2.4. PAM support means that many other forms of authentication, such as RADIUS, can also be used with Secure Shell via plug-ins for PAM. Setting up PAM requires compiling the source code, some edits to the Secure Shell server and client config files, and edits to the PAM config file.

Kerberos

Kerberos authentication is also available for Secure Shell. Setup may require compiling the source code and changing the Secure Shell server and client config files. Kerberos is mainly used in educational institutions.

RSA SecurID

RSA SecurID support was added to Secure Shell as of version 2.4. SecurID support will require compiling the source code, as well as various other setup procedures. SecurID support adds a strong One-Time-Password authentication method to Secure Shell.

8. Configuration

The purpose of this section is to explain some of the options available for configuring Secure Shell to suit your environment. For specific instructions on how to set up some of these options, please see the online Secure Shell for Unix Servers Administrator's Guide at:
http://www.ssh.com/products/ssh/administrator24/

You can also check the man pages for the config files, man ssh2_config and man sshd2_config, as well as the man pages on the commands themselves for further information.

Client and Server Configuration Options

The following options are available in both the client config file, /etc/ssh2/ssh2_config, and in the server config file, /etc/ssh2/sshd2_config.

AllowedAuthentications

This option is used to specify which authentication method(s) you would like to allow. Order is important here - the methods are attempted in the order in which they are listed. Please see the man page for the config file for descriptions of the values permitted.

Ciphers

Ciphers is where the cipher can be specified that you would like to use to encrypt the connection. Please see the man page for the config file for descriptions of the values permitted.

MACs

MACs is where you can specify the message authentication code used. Please see the man page for the config file for descriptions of the values permitted.

Server Only Configuration Options

The following options are only available in the server config file, /etc/ssh2/sshd2_config.

RequiredAuthentications

RequiredAuthentications defines which authentication methods are required before a connection is permitted. This works in conjunction with AllowedAuthentications. Please see the man page for the config file for descriptions of the values permitted.

AllowGroups, AllowHosts, AllowShosts, AllowUsers, DenyGroups, DenyHosts, DenyShosts, DenyUsers, AllowTcpForwarding, AllowTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwarding, DenyTcpForwardingForUsers, DenyTcpForwardingForGroups

These can all be used to filter access to the sshd2 daemon and to filter TCP forwarding access in a fashion similar to TCP Wrappers. Please see the man page for the config file for descriptions of the values permitted.

BannerMessageFile

BannerMessageFile specifies the path to the message sent to the client before authentication. The default is /etc/ssh2/ssh_banner_message, but you can change this to /etc/issue or /etc/issue.net if you already have that set up.

PermitRootLogin

PermitRootLogin is where you can choose to accept or deny remote root logins to Secure Shell. You can also choose nopwd, which means that only a user who has set up non-password authentication (such as hostbased or public key) between their username (user or root) on the client, and root on the server can log in.

9. Why NOT to use SSH1 and SSH1 Compatibility

SSH Communications Security officially deprecated the SSH1 software as of January 2001 due to various security issues with the software and protocol.

From http://www.ssh.com/products/ssh/cert/deprecation.html :

"SSH Communications Security considers the SSH1 protocol deprecated and does not recommend the use of it.

As of 1 May 2001, SSH Secure Shell 1.x will no longer be available from this site. Please modify your product plans accordingly. The SSH2 protocol is in the process of becoming an IETF standard and is not subject to the security vulnerabilities found in SSH1. Therefore, we will continue to focus on the newer SSH2 protocol as we offer, update, upgrade and maintain SSH Secure Shell 2.x (and higher) of the software. If you have any questions, please contact your SSH representative. "

Other sites which contain information related to the security problems with SSH1:

http://www.ssh.com/products/ssh/cert/
http://www.cert.org/ (simply type ssh or ssh1 in the search there)
http://www.sans.org

10. Troubleshooting

Troubleshooting procedures vary depending on what type of problem you are attempting to resolve. The most common problems are broken down into the following categories:

Installation
Configuration
Connection / Authentication
File Copy and Transfer Issues

For almost all troubleshooting (installation excepted, of course), your first step should be to start the server in verbose mode, then try to connect with the client running in verbose mode. This will give you more information on what is happening before you continue with resolving the problem. Redirect the output of both commands to a text file for later viewing.

Client:
$ ssh2 -v server_name > ssh2_output 2>&1

Server:
# kill -9 `cat /var/run/sshd2_22.pid`
# sshd2 -v > sshd2_output 2>&1

Note that the sshd2 daemon will only accept one connection when running in verbose mode, then will die and must be restarted.

Installation

When troubleshooting installation problems, you will need to check the following:

• DO YOU HAVE THE LATEST VERSION OF SECURE SHELL? Often we find that many people having installation problems have an older copy of the software and are running into issues that have been resolved in the latest version of Secure Shell. Please check ftp://ftp.ssh.com/pub/ssh for the latest version number and ensure that you are using it.
• Are your platform and operating system supported?
• If installing via source code, are you using the correct compiler? See http://www.ssh.com/products/ssh/portability.html to help answer these questions.
• Are you installing via binary or source code? Are you following the corresponding installation instructions?
• Have you checked the README for installation instructions for source code or binaries? See http://www.ssh.com/products/ssh/administrator24/ for complete installation instructions.
• Are you having trouble getting a specific option to compile in? Have you checked ./configure --help for more information on which compile-time options are available and their format?
• Some options are only available via source code - have you checked to ensure that the option you are trying to use is available with your chosen installation method? Check the online Secure Shell for Unix Servers Administrator's Guide at: http://www.ssh.com/products/ssh/administrator24/

Configuration

• If the configuration you are attempting to set up requires special installation-time instructions, are you sure they were completed? If installed via source code, check the source directory for the config.status to see what options were enabled at compile-time.
• Have you checked the config file on the server, /etc/ssh2/sshd2_config and the system-wide config file on the client, /etc/ssh2/ssh2_config, as well as any user-specific client config files, which are located in the user's home directory, ~/.ssh2/ssh2_config to ensure that all config files have the option you are trying to configure enabled (if appropriate)? Try man sshd2_config and man ssh2_config for a very good description of what each option in the config files does.
• If you made changes to the server config file, /etc/ssh2/sshd2_config, did you HUP the sshd2 daemon?
• Have you walked back through the configuration steps to ensure that they were all completed?

Connection / Authentication

• Have you started the client and server in verbose mode and reviewed the output? This is the best way to discover what is causing Connection / Authentication problems.
• Check the client and server config files to ensure that the authentication method you are attempting is enabled.
• Did you compile Secure Shell with support for TCP Wrappers? If so, did you verify that your client is listed in the server's /etc/hosts.allow?
• Was Secure Shell compiled with support for PAM? Check your PAM config file.

If the authentication you are attempting involves copying keys over to the server, verify that the keys were not modified during the copying by checking the fingerprints of both keys. They should match. See man ssh-keygen2 for more information.

If you are trying to set up hostbased authentication, and the setup looks correct, but you are still being prompted for a password - check your DNS. Nine times out of ten an incorrectly set up DNS is why hostbased authentication fails if the setup was done correctly. If you are unsure if this is the problem, and the verbose output is not helpful, you may want to run the client and server in a higher debug level by using a command line option: -d 5 or -d 7 should be sufficient.

File Copy / Transfer Issues

If ssh2 works but scp2 or sftp2 is failing, you may want to check your PATH. Make sure that /usr/local/bin is in the path for the user trying to copy files over. If the problem is sftp2 and you do not wish to add /usr/local/bin to the PATH, then you can edit the /etc/ssh2/sshd2_config file on the server to add the full path to the sftp-server at the bottom. So,

subsystem-sftp sftp-server

should change to

subsystem-sftp /usr/local/bin/sftp-server

Remember to HUP the daemon after changing the config file.

11. Where to Find Help with Secure Shell


tu

While the software is free to use, and non-commercial users of Secure Shell are welcome
sti

to submit bug reports and feature requests, non-commercial users are not entitled to
In

support from SSH Communications Security. The good news is that Secure Shell has
been around since 1995, and there are many users in the open-source community who are
NS

already very familiar with Secure Shell, and many web sites containing information about
Secure Shell.
SA

Web resources for all users:

Cryptography A-Z
http://www.ssh.com/tech/crypto/
SSH Secure Shell for Unix Servers Administrator's Guide:
http://www.ssh.com/products/ssh/administrator24/
IETF secsh drafts:
http://www.ssh.com/tech/archive/secsh.html
List of Supported Platforms for SSH Secure Shell:
http://www.ipsec.com/products/ssh/portability.html
FTP site for non-commercial downloads:
ftp://ftp.ssh.com/pub/ssh

Note: the following three links are for submissions only - you will not receive a response
to emails sent using these forms.

Compilation Success / Failure Reports:
http://www.ssh.com/tech/ssh_query.html/
Bug Reports:
http://www.ssh.com/support/toolkits/bug-report.html
Feature Requests:
http://www.ssh.com/support/toolkits/feature-request.html

Non-SSH Communications Security web sites

There are numerous web sites out there about Secure Shell, but many of them are SSH1
specific. Here are a few that are SSH2 or both:

Archives of the old Secure Shell public mailing list (ssh@clinet.fi):
http://www.mail-archive.com/ssh@clinet.fi/
The Secure Shell FAQ:
http://www.employees.org/~satch/ssh/faq/
The Secure Shell secsh IETF working group:
http://www.ietf.org/html.charters/secsh-charter.html

If you are a non-commercial user and you require assistance, please check the mailing list
archives (listed above) first. If you are not able to find an answer to your problem, you
can send a message to the Secure Shell mailing list:

ssh@clinet.fi

There are many helpful people on the list who are very knowledgeable about Secure
Shell, including some of the Secure Shell developers from SSH.

Appendix C
Setting up Public Key Authentication for Secure Shell

Secure Shell Generated Keys

1. Ensure that on the client, the /etc/ssh2/ssh2_config file contains the line:

AllowedAuthentications publickey, password, hostbased

2. Create a keypair on the client using the ssh-keygen2 command:

$ ssh-keygen2

You will be asked to enter a passphrase twice. Please choose a passphrase that is difficult
to guess - spaces and special characters are OK. This will create a public key (.pub) and a
private key (no extension). The default file names are id_dsa_1024_a.pub and
id_dsa_1024_a (both assuming you don't change the filenames or key size, and this is the
first keypair you have generated).

3. Copy the public key to the server, to the ~/.ssh2 directory for the user.

4. On the client, in the ~/.ssh2 directory for the user, make sure there is an identification
file that contains the following:

idkey id_dsa_1024_a

or whatever your private key's filename is.

5. Ensure that on the server, the /etc/ssh2/sshd2_config file contains the line:

AllowedAuthentications publickey, password, hostbased

6. On the server, in the ~/.ssh2 directory for the user, make sure there is an authorization
file that contains the following:

key id_dsa_1024_a.pub

or whatever your public key's filename is.

That should be all you need to do to set up public key authentication for Secure Shell. If
you have problems, start both the client and server in verbose mode (-v) to see what is
happening when the connection is attempted.

PGP Keys

SSH Secure Shell only supports the OpenPGP standard and the PGP programs that use it.
GnuPG is used in the following instructions. If you use PGP, the only difference is that
the file extension is pgp instead of gpg.

1. Copy your private keyring (secring.gpg) to the ~/.ssh2 directory on the client.

2. Create an identification file in your ~/.ssh2 directory on the client if you don't
already have one. Add any ONE of the following lines to the identification file:

PgpSecretKeyFile <the filename of the user's private keyring>
IdPgpKeyName <the name of the OpenPGP key in PgpSecretKeyFile>
IdPgpKeyFingerprint <the fingerprint of the OpenPGP key in PgpSecretKeyFile>
IdPgpKeyId <the id of the OpenPGP key in PgpSecretKeyFile>

3. Copy your public keyring (pubring.gpg) to the .ssh2 sub-directory in the user's home
directory on the server:

scp2 pubring.gpg user@server:/home/user_name/.ssh2/

4. Create an authorization file in your .ssh2 sub-directory in the user's home directory on
the server. Add any ONE of the following lines to the authorization file:

PgpPublicKeyFile <the filename of the user's public keyring>
PgpKeyName <the name of the OpenPGP key>
PgpKeyFingerprint <the fingerprint of the OpenPGP key>
PgpKeyId <the id of the OpenPGP key>

Now you should be able to log in to the server from the client using public key
authentication.

Try to log in:

client>ssh server_name
Passphrase for pgp key "user (comment)<user@client>":

Enter your passphrase for the key. A Secure Shell connection will be established.
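A checker for the files the two procedures above (Secure Shell Generated Keys and PGP Keys) have you create, written as an added example; it is not from the paper and not part of SSH Secure Shell. It assumes the client or server ~/.ssh2 directory and the matching ssh2_config or sshd2_config path are passed as arguments, so it can be run against a copied tree; the permission check on the private key or secret keyring is a general hardening check, not a step the paper lists.

```shell
#!/bin/sh
# Added example, not from the paper: a checker for the files Appendix C has you
# create, covering both ssh-keygen2 keys (identification "idkey", authorization
# "key") and OpenPGP keys (PgpSecretKeyFile / IdPgpKey* and PgpPublicKeyFile /
# PgpKey*). Assumed: the ~/.ssh2 directory and the ssh2_config or sshd2_config
# path are passed in, so the functions can also be run over a copied tree.

# first_directive FILE KEYWORD: print the value of the first line whose first
# word is KEYWORD; print nothing if the file or keyword is absent.
first_directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1" 2>/dev/null
    return 0
}

# auth_allows CONFIG METHOD: 0 if AllowedAuthentications lists METHOD. The value
# is comma-separated and the paper writes it with spaces ("publickey, password").
auth_allows() {
    first_directive "$1" AllowedAuthentications | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# unsafe_perms FILE: 0 if FILE is readable by group or others. A private key or
# secret keyring should be mode 600 (hardening check, not a step from the paper).
unsafe_perms() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# check_client SSH2DIR SSH2_CONFIG: steps 1, 2 and 4 (or PGP steps 1 and 2).
check_client() {
    d=$1 cfg=$2 rc=0
    auth_allows "$cfg" publickey || { echo "client: publickey not in AllowedAuthentications"; rc=1; }
    [ -f "$d/identification" ] || { echo "client: no identification file in $d"; return 1; }
    idkey=$(first_directive "$d/identification" idkey)
    ring=$(first_directive "$d/identification" PgpSecretKeyFile)
    if [ -n "$idkey" ]; then
        [ -f "$d/$idkey" ] || { echo "client: private key $idkey missing"; rc=1; }
        [ -f "$d/$idkey.pub" ] || { echo "client: public key $idkey.pub missing (needed for step 3)"; rc=1; }
        [ -f "$d/$idkey" ] && unsafe_perms "$d/$idkey" && { echo "client: $idkey is group/world readable"; rc=1; }
    elif [ -n "$ring" ] || grep -q '^IdPgpKey' "$d/identification"; then
        if [ -n "$ring" ]; then
            [ -f "$d/$ring" ] || { echo "client: keyring $ring missing"; rc=1; }
            [ -f "$d/$ring" ] && unsafe_perms "$d/$ring" && { echo "client: $ring is group/world readable"; rc=1; }
        fi
    else
        echo "client: identification selects no key (idkey or Pgp* line expected)"; rc=1
    fi
    return $rc
}

# check_server SSH2DIR SSHD2_CONFIG: steps 5 and 6 (or PGP steps 3 and 4).
check_server() {
    d=$1 cfg=$2 rc=0
    auth_allows "$cfg" publickey || { echo "server: publickey not in AllowedAuthentications"; rc=1; }
    [ -f "$d/authorization" ] || { echo "server: no authorization file in $d"; return 1; }
    pub=$(first_directive "$d/authorization" key)
    ring=$(first_directive "$d/authorization" PgpPublicKeyFile)
    if [ -n "$pub" ]; then
        [ -f "$d/$pub" ] || { echo "server: public key $pub missing"; rc=1; }
    elif [ -n "$ring" ] || grep -q '^PgpKey' "$d/authorization"; then
        if [ -n "$ring" ] && [ ! -f "$d/$ring" ]; then echo "server: keyring $ring missing"; rc=1; fi
    else
        echo "server: authorization selects no key (key or Pgp* line expected)"; rc=1
    fi
    return $rc
}

# Demonstration on a constructed tree with placeholder key material (real keys
# come from ssh-keygen2 or gpg; these files only stand in for them).
t=$(mktemp -d)
mkdir -p "$t/client/.ssh2" "$t/server/.ssh2"
printf 'AllowedAuthentications publickey, password, hostbased\n' > "$t/ssh2_config"
cp "$t/ssh2_config" "$t/sshd2_config"
printf 'PLACEHOLDER PRIVATE KEY\n' > "$t/client/.ssh2/id_dsa_1024_a"
chmod 600 "$t/client/.ssh2/id_dsa_1024_a"
printf 'PLACEHOLDER PUBLIC KEY\n' > "$t/client/.ssh2/id_dsa_1024_a.pub"
cp "$t/client/.ssh2/id_dsa_1024_a.pub" "$t/server/.ssh2/"
printf 'idkey id_dsa_1024_a\n' > "$t/client/.ssh2/identification"
printf 'key id_dsa_1024_a.pub\n' > "$t/server/.ssh2/authorization"
if check_client "$t/client/.ssh2" "$t/ssh2_config" && check_server "$t/server/.ssh2" "$t/sshd2_config"; then
    echo "public key setup looks complete"
fi
rm -rf "$t"
```

Each failed check prints one line naming the file or directive at fault, which is usually quicker than reading the -v output from both ends of the connection; run check_client on the client and check_server on the server, since the two halves live on different machines.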